Hackers stole partial payment information and personally identifying data associated with some Discord users after compromising a third-party customer service provider.
The attack occurred on September 20 and affected a limited number of users who had interacted with Discord’s customer support or Trust and Safety teams.
Discord was originally created as a communication platform for gamers, who represent more than 90% of the user base. It has since expanded to various other communities, allowing text messages, voice chats, and video calls. Platform statistics indicate that more than 200 million people use Discord every month.
Hackers Demanded a Ransom
In the notification sent to affected users, the messaging company stated that on September 20, "an unauthorized party gained limited access to a third-party customer service system used by Discord." Discord publicly disclosed the incident on Friday, saying it took immediate action. According to Discord, this included revoking the customer support provider’s access to the ticketing system, launching an internal investigation, engaging a leading computer forensics firm to support remediation efforts, and engaging law enforcement.
The attack appears to be financially motivated, as the hackers demanded a ransom from Discord in exchange for not leaking the stolen information.
Exposed data includes personally identifying information such as real names and usernames, email addresses, and other contact details provided to the support team. The social communication service says IP addresses, messages, and attachments sent to customer service agents were also compromised.
For a small number of users, the hackers also accessed photos of government-issued identification documents, including driver’s licenses and passports. Partial billing information, like payment type, the last four credit card digits, and purchase history associated with the compromised account, was exposed as well.
The VX-Underground security group notes that the type of data stolen from Discord users represents "literally peoples entire identity." Alon Gal, Chief Technology Officer at threat intelligence company Hudson Rock, believes that if the hackers release the Discord data, it could provide crucial information to help uncover or solve crypto hacks and scams.
"I’ll just say that if it leaks, this db is going to be huge for solving crypto related hacks and scams because scammers don’t often remember using a burner email and VPN and almost all of them are on Discord," says Alon Gal.
Currently, it is unclear exactly how many Discord users are affected. Neither the name of the third-party provider nor the precise access vector has been disclosed publicly. However, the Scattered Lapsus$ Hunters (SLH) threat group claimed the attack, asserting they breached a Zendesk instance used by Discord for customer support. An image the hackers posted online showed a Kolide access control list for Discord employees with access to the admin console. Kolide is a device trust solution that connects to the Okta cloud-based Identity and Access Management (IAM) service for multi-factor authentication. This incident is similar to recent events where the ShinyHunters extortion group compromised hundreds of companies’ Salesforce instances using stolen Salesloft Drift OAuth tokens.